From df2c3e83e550ae020baf885479ea2800a19997fe Mon Sep 17 00:00:00 2001
From: David Lönnhager
Date: Thu, 4 Apr 2024 15:46:37 +0200
Subject: Add macOS 13 support by filtering direction from pktap header
---
 talpid-core/src/split_tunnel/macos/bindings.rs | 1 +
 .../src/split_tunnel/macos/generate-bindings.sh | 1 +
 talpid-core/src/split_tunnel/macos/tun.rs | 18 +++++++++++++++---
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/talpid-core/src/split_tunnel/macos/bindings.rs b/talpid-core/src/split_tunnel/macos/bindings.rs
index 311158b610..1ff1727892 100644
--- a/talpid-core/src/split_tunnel/macos/bindings.rs
+++ b/talpid-core/src/split_tunnel/macos/bindings.rs
@@ -1,5 +1,6 @@
 /* automatically generated by rust-bindgen 0.69.2 */
+pub const PTH_FLAG_DIR_OUT: u32 = 2;
 pub const PCAP_ERRBUF_SIZE: u32 = 256;
 pub type __int32_t = ::std::os::raw::c_int;
 pub type __darwin_pid_t = __int32_t;
diff --git a/talpid-core/src/split_tunnel/macos/generate-bindings.sh b/talpid-core/src/split_tunnel/macos/generate-bindings.sh
index e78e03fde2..a56fe69d2d 100755
--- a/talpid-core/src/split_tunnel/macos/generate-bindings.sh
+++ b/talpid-core/src/split_tunnel/macos/generate-bindings.sh
@@ -18,4 +18,5 @@ bindgen "include/bindings.h" -o ./bindings.rs \
 --allowlist-item "^pktap_header" \
 --allowlist-item "PCAP_ERRBUF_SIZE" \
 --allowlist-item "^BIOCSWANTPKTAP" \
+ --allowlist-item "^PTH_FLAG_DIR_OUT" \
 --allowlist-item "^bpf_stat"
diff --git a/talpid-core/src/split_tunnel/macos/tun.rs b/talpid-core/src/split_tunnel/macos/tun.rs
index 7263f6c7bd..1121bdb2df 100644
--- a/talpid-core/src/split_tunnel/macos/tun.rs
+++ b/talpid-core/src/split_tunnel/macos/tun.rs
@@ -2,7 +2,9 @@
 //! either the default interface or a VPN tunnel interface.
 use super::{
- bindings::{pcap_create, pcap_set_want_pktap, pktap_header, PCAP_ERRBUF_SIZE},
+ bindings::{
+ pcap_create, pcap_set_want_pktap, pktap_header, PCAP_ERRBUF_SIZE, PTH_FLAG_DIR_OUT,
+ },
 bpf,
 default::DefaultInterface,
 };
@@ -663,8 +665,10 @@ fn capture_outbound_packets(
 .open()
 .map_err(Error::CaptureSplitTunnelDevice)?;
- cap.direction(pcap::Direction::Out)
- .map_err(Error::SetDirection)?;
+ // TODO: This is unsupported on macOS 13 and lower, so we determine the direction using the
+ // pktap header flags. Once macOS 13 is no longer supported, this can be uncommented.
+ //cap.direction(pcap::Direction::Out)
+ // .map_err(Error::SetDirection)?;
 let cap = cap.setnonblock().map_err(Error::EnableNonblock)?;
 let stream = cap
@@ -709,6 +713,14 @@ impl PacketCodec for PktapCodec {
 _ => return None,
 };
+ // TODO: `Capture::direction` is unsupported on macOS 13 and lower, so we determine the
+ // direction using the pktap header. Once macOS 13 is no longer supported, this can
+ // be removed.
+ if header.pth_flags ^ PTH_FLAG_DIR_OUT == 0 {
+ // Ignore incoming packets
+ return None;
+ }
+
 let iface = unsafe { CStr::from_ptr(header.pth_ifname.as_ptr() as *const _) };
 if iface.to_bytes() != self.interface.as_bytes() {
 return None;
-- cgit v1.3-3-g829e
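Review bot: The direction test added in the `impl PacketCodec for PktapCodec` hunk, `header.pth_flags ^ PTH_FLAG_DIR_OUT == 0`, does not do what its "Ignore incoming packets" comment says. In Rust `^` binds tighter than `==`, so the branch is taken only when `pth_flags` is exactly `PTH_FLAG_DIR_OUT`; that drops packets flagged outbound-only and keeps every packet without the outbound bit. Going by the `PTH_FLAG_` prefix, `pth_flags` is presumably a bit mask, in which case the check should test the bit: `if header.pth_flags & PTH_FLAG_DIR_OUT == 0 {`. With `cap.direction(pcap::Direction::Out)` commented out in `capture_outbound_packets`, this check appears to be the only direction filter left in front of the split-tunnel path on every macOS version, so a codec test with headers that do and do not carry the outbound bit is worth adding. The enclosing decode function begins and ends outside the hunk.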